The SessionHandlerInterface class

(PHP 5 >= 5.4.0, PHP 7)

Introduction

SessionHandlerInterface is an
interface which defines a
prototype for creating a custom session handler. In order to pass a custom
session handler to session_set_save_handler() using its
OOP invocation, the class must implement this interface.

Please note the callback methods of this class are designed to be called internally by
PHP and are not meant to be called from user-space code.

The following example provides file based session storage similar to the
PHP sessions default save handler files. This
example could easily be extended to cover database storage using your
favorite PHP supported database engine.

Note we use the OOP prototype with session_set_save_handler() and
register the shutdown function using the function's parameter flag. This is generally
advised when registering objects as session save handlers.

Caution

For brevity, this example omits input validation. However, the
$id parameters are actually user supplied values which
require proper validation/sanitization to avoid vulnerabilities, such as
path traversal issues. So do not use this example unmodified in
production environments.
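As an added example (not the manual's MySessionHandler or any other code from this page), the following file-based handler applies the validation the caution above asks for: every user-supplied $id is checked against the character set PHP itself uses for session ids before any filesystem path is built from it. The class name and the length bounds in the regular expression are this example's own choices.

```php
<?php
// Added example, not the manual's MySessionHandler: a file-based handler whose
// read/write/destroy reject any $id that PHP itself could not have generated.
class ValidatingFileSessionHandler implements SessionHandlerInterface {
    private $savePath;
    // PHP builds ids from [a-zA-Z0-9,-] (22..256 chars); an id containing "../" fails here.
    private function isValidId($id) {
        return is_string($id) && preg_match('/\A[a-zA-Z0-9,-]{22,256}\z/', $id) === 1;
    }

    private function pathFor($id) {
        return $this->savePath . DIRECTORY_SEPARATOR . 'sess_' . $id;
    }

    public function open($savePath, $sessionName) {
        $this->savePath = $savePath;
        return is_dir($this->savePath) || mkdir($this->savePath, 0700, true);
    }

    public function close() { return true; }

    public function read($id) {
        // Never build a filesystem path from an unvalidated id; treat it as an empty session.
        if (!$this->isValidId($id)) { return ''; }
        $file = $this->pathFor($id);
        return is_file($file) ? (string) file_get_contents($file) : '';
    }

    public function write($id, $data) {
        if (!$this->isValidId($id)) { return false; }
        return file_put_contents($this->pathFor($id), $data, LOCK_EX) !== false;
    }

    public function destroy($id) {
        if (!$this->isValidId($id)) { return false; }
        $file = $this->pathFor($id);
        return !is_file($file) || unlink($file);
    }

    public function gc($maxlifetime) {
        clearstatcache(); // filemtime() results are cached by PHP; refresh before checking ages
        foreach (glob($this->savePath . '/sess_*') ?: [] as $file) {
            if (is_file($file) && filemtime($file) + $maxlifetime < time()) { unlink($file); }
        }
        return true;
    }
}

// OOP prototype; the second argument registers session_write_close() as shutdown function.
session_set_save_handler(new ValidatingFileSessionHandler(), true);
session_start();
```

An id that fails validation is treated as a missing session rather than an error, so PHP simply starts a fresh one instead of touching any path outside the save directory.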

User Contributed Notes (7 notes)

As of PHP 7.0, you can implement SessionUpdateTimestampHandlerInterface to define your own session id validating method like validate_sid and the timestamp updating method like update_timestamp in the non-OOP prototype of session_set_save_handler().

SessionUpdateTimestampHandlerInterface is a new interface introduced in PHP 7.0, which has not been documented yet. It has two abstract methods: SessionUpdateTimestampHandlerInterface::validateId($sessionId) and SessionUpdateTimestampHandlerInterface::updateTimestamp($sessionId, $sessionData).

<?php
/*
 * @author Wu Xiancheng
 * Code structure for PHP 7.0+ only, because SessionUpdateTimestampHandlerInterface
 * was introduced in PHP 7.0.
 * With this class you can validate the PHP session id and update the timestamp of
 * PHP session data with the OOP prototype of session_set_save_handler() in PHP 7.0+.
 */
class PHPSessionXHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function close()
    {
        // return value should be true for success or false for failure
        // ...
    }

    public function destroy($sessionId)
    {
        // return value should be true for success or false for failure
        // ...
    }

    public function gc($maximumLifetime)
    {
        // return value should be true for success or false for failure
        // ...
    }

    public function open($sessionSavePath, $sessionName)
    {
        // return value should be true for success or false for failure
        // ...
    }

    public function read($sessionId)
    {
        // return value should be the session data or an empty string
        // ...
    }

    public function write($sessionId, $sessionData)
    {
        // return value should be true for success or false for failure
        // ...
    }

    public function create_sid()
    {
        // available since PHP 5.5.1
        // invoked internally when a new session id is needed
        // no parameter is needed and return value should be the new session id created
        // ...
    }

    public function validateId($sessionId)
    {
        // implements SessionUpdateTimestampHandlerInterface::validateId()
        // available since PHP 7.0
        // return value should be true if the session id is valid, otherwise false
        // if false is returned, a new session id will be generated by PHP internally
        // ...
    }

    public function updateTimestamp($sessionId, $sessionData)
    {
        // implements SessionUpdateTimestampHandlerInterface::updateTimestamp()
        // available since PHP 7.0
        // return value should be true for success or false for failure
        // ...
    }
}
?>

Note that session_start() calls open then read, and the class returns true for open and the value of the session (or empty) for read. Well, then there is no catch for errors; that is, session_start() must return false on failure, but that is not the case for the class implementation on method open: no matter if you return true or false or whatever from open, it is ignored by the session_start() function, which proceeds to the read method. A bug? If open returns false, session_start() should stop the next step (read) and itself return false:

if (session_start()) {
    // ...code
} else {
    exit();
}

So forget about the session_start() return value; you need to implement an error-catch routine and exit() in case of failure in the open method.

The non-OOP prototype of session_set_save_handler() supports validate_sid and update_timestamp as of PHP 7.0 while the OOP prototype doesn't even in PHP 7.2. However the OOP prototype does support create_sid since PHP 5.5.1.

validate_sid($sessionId) This callback is to validate $sessionId. Its return value should be true for valid session id $sessionId or false for invalid session id $sessionId. If false is returned, a new session id is generated to replace the invalid session id $sessionId.

update_timestamp($sessionId) This callback is to update the timestamp, and its return value should be true for success or false for failure.

Your custom session handler should not contain calls to any of the session functions, such as session_name() or session_id(), as the relevant values are passed as arguments on various handler methods. Attempting to obtain values from alternative sources may not work as expected.

I think there is a small "error" in the example of the class MySessionHandler in method gc(). It uses the function filemtime() whose return value is cached by PHP. Add the following line inside the foreach block in the gc() method: